Are you using your PocketPC to store or retrieve sensitive personal information or proprietary corporate data? Microsoft claims that the Windows Mobile operating system is secure enough for the enterprise, but that’s not quite true. In this article, Seth Fogie exposes some weaknesses in 3rd-party security software for Pocket PC.

Microsoft claims that the Windows Mobile operating system is secure enough
for the enterprise. That's not quite true: unlike Windows XP, handhelds lack
the security architecture of a desktop operating system. For example, Pocket PCs
have no Kerberos authentication, no Encrypting File System, and no built-in
firewall. In fact, even the much-touted Mobile2Market "secure" signing process
for .DLLs and .exes can be bypassed with a simple buffer overflow, potentially
allowing malware to take over your device [1].

However, once you understand the limitations, you can plan your Windows
Mobile rollout more carefully. Fortunately, there is a great deal of
3rd-party security software out there. Unfortunately, much of it is
completely insecure. Sadly, Windows Mobile developers have not yet been held
to the same scrutiny as desktop software developers. For instance, you may think
your "encrypted" or "secure" data is safe on a Pocket PC because the vendor
said so, when in reality the data is stored in a form an attacker can recover.

In this paper, we expose some weaknesses in 3rd-party security
software for Pocket PC. Note that we are not assigning blame to any of the
developers; in fact, some of them responded quickly and were eager to get
feedback and to fix the bugs. On the other hand, some were angry, threatening,
and even dismissive. For us, it doesn't matter if software has bugs. All
software has flaws; that's why you should always use "layered"
security. It is the responsiveness of a developer, and their willingness to fix
the product, that helps us define a quality developer.

This is not an attempt to criticize any vendors. We selected the target
applications at random using the search engines provided by reseller websites.
We are also not disparaging the Windows Mobile platform. In fact, we love it and
use it every day. We simply want to make it stronger and more secure. By raising
user awareness, perhaps more people will pay more attention to how their data is
stored. The principle of "security through obscurity" has long been
discredited.

Background

According to the 2005 Pointsec Mobile Usage Survey [2], an estimated 22% of PDA
owners have lost their devices. Combine this with the statistic that 81% of
those lost devices had no protection (e.g., a PIN or encryption), and the problem
gets worse. Yet the same survey indicates that 37% of PDAs hold sensitive
information, such as passwords, bank account information, corporate data
and more.

NOTE

If you think PDA security isn't a real subject, just consider the
possibility that there is someone out there right now with your name, email,
phone number, and birth date and more stored on a digital device that was just
left in a taxi cab — not a comforting thought.

Thankfully, a security-conscious person can find, download, and install a
plethora of software that will help them remain productive, yet keep their data
secure inside an encrypted file in the event the device is lost or stolen. On
the surface, these programs are an excellent idea. Financial information,
passwords, credit card numbers, and even project files can all be locked up and
secured. In addition, passwords that are entered into the PDA for service-
oriented programs (e.g., remote access, email, chat) are protected from
prying eyes by masking the input, so that a shoulder-surfing attacker cannot
learn them. Unfortunately, as we discovered, more often than not the security
mechanisms are nothing but an illusion at worst, or terribly flawed at best.
The end result is that the user is placing their trust in a broken program.
This paper will address many of the issues we found and what you can look for
when investigating the quality of your "secure" program.
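The quickest way to judge whether a "secure" vault file is really encrypted is to copy the data file off the device and inspect it directly rather than trusting the vendor's description. The following Python script is an added example and not code from the paper or from any of the products it discusses; the three vault files it analyses are constructed in the script itself (a plaintext record, the same record obscured with a single-byte XOR, and a SHA-256-derived byte stream standing in for real ciphertext), and the 7.5 bits/byte entropy threshold is a heuristic chosen here, not a figure from the paper. It checks three things a practitioner would look for: whether known secrets appear verbatim, whether a trivial single-byte XOR "encryption" recovers them, and whether the byte distribution has the high entropy that a real cipher produces.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the file; real ciphertext (or compressed data) sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_plaintext(data: bytes, needles) -> list:
    """Return the known secrets that occur verbatim in the blob."""
    return [s for s in needles if s.encode() in data]


def single_byte_xor_recover(data: bytes, needles):
    """Try all 256 single-byte XOR keys; return (key, leaked secrets) on a hit."""
    for key in range(1, 256):          # key 0 is the plaintext case, already tested
        candidate = bytes(b ^ key for b in data)
        leaked = find_plaintext(candidate, needles)
        if leaked:
            return key, leaked
    return None


def assess_vault(data: bytes, known_secrets, min_entropy: float = 7.5) -> dict:
    """Classify a vault file. The entropy threshold is a heuristic (assumption)."""
    result = {"entropy": shannon_entropy(data), "leaked": [], "xor_key": None}
    leaked = find_plaintext(data, known_secrets)
    if leaked:
        result.update(verdict="plaintext", leaked=leaked)
        return result
    hit = single_byte_xor_recover(data, known_secrets)
    if hit:
        key, leaked = hit
        result.update(verdict="single-byte xor", leaked=leaked, xor_key=key)
        return result
    # No known secret found: fall back to the byte distribution. Low entropy
    # means structured data is still visible even if we do not know what to grep for.
    result["verdict"] = "suspicious" if result["entropy"] < min_entropy else "likely encrypted"
    return result


# --- Constructed sample vault files (not captured from any real product) ---
SECRETS = ["hunter2", "4111111111111111"]
RECORD = b"user=alice;password=hunter2;card=4111111111111111;" * 20

plain_vault = RECORD                                   # stored as-is
xor_vault = bytes(b ^ 0x5A for b in RECORD)            # "encrypted" with one XOR byte
random_vault = b"".join(                               # deterministic stand-in for ciphertext
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128)
)

if __name__ == "__main__":
    for name, blob in [("plain", plain_vault), ("xor", xor_vault), ("random", random_vault)]:
        r = assess_vault(blob, SECRETS)
        print(f"{name:7s} entropy={r['entropy']:.2f} verdict={r['verdict']} "
              f"leaked={r['leaked']} xor_key={r['xor_key']}")
```

The entropy check is only a backstop: it cannot distinguish real encryption from compression, and it cannot tell a strong cipher from a weak one that happens to produce random-looking output, so a high-entropy verdict means "not obviously broken", never "secure". The verbatim and single-byte XOR searches, on the other hand, give a definitive failing grade whenever they hit.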

[1] Airscanner will be releasing a paper illustrating this in the fourth quarter
of 2006.